Abstract

Footnotes (173)

Using the URL or DOI link below will
ensure access to this page indefinitely

Based on your IP address, your paper is being delivered by:

New York, USA

Processing request.

Illinois, USA

Processing request.

Brussels, Belgium

Processing request.

Seoul, Korea

Processing request.

California, USA

Processing request.

If you have any problems downloading this paper,please click on another Download Location above, or view our FAQFile name: SSRN-id346506. ; Size: 225K

You will receive a perfect bound, 8.5 x 11 inch, black and white printed copy of this PDF document with a glossy color cover. Currently shipping to U.S. addresses only. Your order will ship within 3 business days. For more details, view our FAQ.

Quantity:Total Price = $9.99 plus shipping (U.S. Only)

If you have any problems with this purchase, please contact us for assistance by email: Support@SSRN.com or by phone: 877-SSRNHelp (877 777 6435) in the United States, or +1 585 442 8170 outside of the United States. We are open Monday through Friday between the hours of 8:30AM and 6:00PM, United States Eastern.

Personal Privacy and Common Goods: A Framework for Balancing Under the National Health Information Privacy Rule

The newly-introduced Standards for Privacy of Individually Identifiable Health Information represent the first systematic national privacy protections of health information. Flowing from a Congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the regulations protect the privacy of individually-identifiable health records in any form (including electronic, paper and oral) through disclosure and use limitations, fair information practices, and privacy and security policies that apply to "covered entities" (health providers, health insurance plans and health care clearinghouses) and their business associates.

Privacy safeguards are needed because of the personal nature of health data, the rapid shift from paper to electronic records, and actual and perceived risks of unwarranted disclosures. Existing health information privacy legal protections at the federal and state levels are fragmented, inconsistent, and variable. The new standards endeavor to protect patient privacy by limiting disclosures of individually-identifiable medical information (or "protected health information" (PHI)). Disclosure and use of PHI can only occur upon patient consent, subject to several exceptions outside the health care transaction setting. The regulations also implement fair information practices, which have long been a feature of existing federal laws. Fair information practices allow patients to (1) inspect and amend their records, (2) receive notice of covered entities' privacy practices and potential uses and disclosures of health information, and (3) request confidential communications and an accounting of actual disclosure.

Through the regulations, HHS attempts to set a "floor" for protections that, it suggests, "balance[s] the needs of the individual with the needs of society." Reaching this balance, however, is precarious. The national privacy rule does not always achieve a fair and reasonable allocation of benefits and burdens for patients and the community. We suggest a framework for balancing that values privacy and common goods, without a priori favoring either. We instead seek to maximize privacy interests where they matter most to the individual and maximize communal interests where they are likely to achieve the greatest public good. Thus, where the potential for public benefit is high and the risk of harm to individuals is low, we suggest that public entities should have discretion to use data for important public purposes. Provided that the data are used only for the public good (e.g., research or public health), and the potential for harmful disclosures are negligible, there are good reasons for permitting data sharing.

Conversely, if data are disclosed in ways that are unlikely to achieve a strong public benefit, and the personal risks are high, individual interests in autonomy should prevail. Consequently, for these kinds of disclosures, the law should strictly prohibit the release of information without the patient's consent. Through this framework we attempt to maximize individual and communal interests in the handling of identifiable health data.